Dynamic LDAP server configuration

[splatEric]

Is there a way of setting up a generic LdapRecord model that could authenticate users from any number of Ldap configurations that are stored in the database, rather than needing each of the connections and LdapRecord classes to be hard coded in the system?

Essentially I want to be able to configure multiple ldap servers through an admin screen, storing the necessary details in the database. These different authentication options would be presented on the login screen for people to choose and authenticate against. I was hoping to avoid having to deploy new configuration each time a new LDAP server was being brought on stream to provide an authentication service.

[stevebauman]

Hi @splatEric! This is a great question -- I'll answer the best I can to help you out.

---

TL;DR: Use Container::setDefaultConnection() prior to authentication, so all LdapRecord models will use the user selected LDAP connection.

---

I think this is definitely possible, and shouldn't be too difficult. Here is my initial thought process on how I would go about this:

1. Allow the user to store LDAP connection configurations inside a database table. These LDAP database connection entries will have a unique name column (which will be used later for registering the Connection and its configuration into the Container).
2. Create an LdapConnectionRegistrar class that is initiated upon a service providers boot(). It will be responsible for looping through all of the applications LDAP connections that have been added in the database, creating a Connection instance and adding it into the Container, so LdapRecord models can retrieve them.
3. Setup a single configured LdapRecord authentication guard that the connections will use (assuming they will all use the same configuration) inside of the applications config/auth.php file. Point this authentication guard to use an included LdapRecord model (or your own), but do not specify a $connection in its definition. If you're going to allow the use of multiple authentication guards, such as allowing normal database users to authenticate alongside LDAP users, this will get more complex.
4. On the applications login page, populate a <select> dropdown of LDAP connections that have been added in the database. The value of the dropdown options will refer to their name in the database column.
5. A user submits the login request (along with the chosen LDAP connection name from the <select> dropdown).
6. Prior to calling Auth::attempt(), set the default LDAP connection to the submitted one (you'll want some validation here as well to ensure it exists), then process the authentication attempt.
7. If you need to access the LDAP server that the user logged in with after the initial login request, you will need to save the user's selected LDAP server (after they have passed authentication) in their session, and then set the default LDAP connection (using Container::setDefaultConnection()) using that session key's value if it exists (likely in some service provider), i.e. Container::setDefaultConnection(session('ldap.connection')).

Below are some examples (keep in mind, they are pseudo-code).

Example LdapConnectionRegistratar:

use LdapRecord\Container;
use LdapRecord\Connection;
use App\Models\LdapConnection;

class LdapConnectionRegistratar
{
    public function register()
    {
        LdapConnection::all()->each(function (LdapConnection $model) {
            $connection = new Connection([
                'hosts' => [$model->host],
                // ...
            ]);

            Container::addConnection($connection, $model->name);
        });
    }
}

Example AppServiceProvider:

public function boot()
{
    try {
        // Register the LDAP connections from the database.
        (new LdapConnectionRegistratar)->register();
    } catch (PDOException $e) {
        // Migrations haven't been ran yet.
    }
}

Example LoginController:

use LdapRecord\Container;

public function login(Request $request)
{
    Container::setDefaultConnection($request->ldap);

    $credentials = [
        'mail' => $request->email,
        'password' => $request->password,
    ];

    if (Auth::attempt($credentials)) {
        session()->set('ldap.connection', $request->ldap);

        return redirect()->to('/dashboard');
    }

    return redirect()->back();
}

I hope this helps! Let me know if you need further guidance 👍

[splatEric]

This is really helpful, the detail and speed with which you came back to me is hugely appreciated, thank you.

I will be experimenting (hopefully over the next couple of days) and let you know how I get on!!

[stevebauman]

Happy to help @splatEric! 😄